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Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020.The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


Yes 
xX No 


If no please explain why and how we could improve this: 


Overall the code is clear and straightforward, however, there are a number of areas 
where it could be improved. We have listed these below: 


Focus on legal/regulatory requirements rather than best practice 
recommendations. The inclusion of only best practice recommendation examples in the 
code, rather than also giving lawful examples, causes unnecessary confusion and could be 
very detrimental as cannot account for nuances in individual organisations. Our view is 
that the code should focus on the law and clearly explain what organisations need to 
consider in their direct marketing practices rather than giving opinions on what is ‘best’. 
The summary section should reflect the important distinction between compliance with 
the law and good practice recommendations in relation to enforcement action. 


Interpret the law rather than give opinion. The code makes several sweeping 
assumptions about what it considers to be ‘unlikely’ to be fair/lawful. It would be good to 
give a more balanced view by also including examples of where it was fair/lawful. 
Currently the way the examples are written gives the impression that any other 
approaches are inherently unlawful which is not the case. 


Understand that the general public is made up of individuals. The code treats the 
general public as one homogenous group and sets the bar of knowledge and 
understanding at an extremely low level. It would be more helpful if the code recognised 
that, while everyone has the same privacy rights, everyone doesn’t necessarily have the 
same knowledge or expectations regarding the use of their personal data. 


Make the code enabling rather than prescriptive. It would be more helpful if the 
code adopted the same approach as the current online guidance which focuses on 
accountability and evidenced based approach. This code should provide a framework to 
aid informed decision making and accountability rather than dictating prescriptive 
practice. This approach would also future-proof the guidance, especially in relation to 
online advertising and new technologies. 


Q2 Does the draft code contain the right level of detail? (When answering 
please remember that the code does not seek to duplicate all our existing data 
protection and e-privacy guidance) 


xX Yes 
No 


If no please explain what changes or improvements you would like to see? 


Overall the draft code gives an appropriate level of detail although further clarity is 
needed in some areas. See answer to Q3. The draft code is long and repeats itself in a 


number of places. This could be improved by implementing the points in the answer to 


Q1. 


Q3 Does the draft code cover the right issues about direct marketing? 
xX Yes 


The draft code covers the right issues, however further clarity is needed in a number of 
areas: 


Social media - currently the codes puts all social activity under one ‘social media’ 
umbrella and does not reflect the significant differences in interactions across different 
platforms. 


Privacy notice timing to prospective major donors - We are concerned by the 
suggestion that using public sources to enrich data held about supporters, brings the data 
in scope of personal data, which requires notice to be served to the donor in advance of 
this processing. Our advice has been that in respect of major donors prospect research it 
would be disproportionate to serve this notice to all donors since it will not apply in most 
cases, you will not know the relevance of the research until you have done it and it 
should be adequate to reference that you may undertake these activities in respect of 
high net worth individuals in your Privacy notice online. Research has also demonstrated 
the major donors expect some research to have been carried out before the charity 
makes contact. 


‘Directed to particular individuals’ - greater clarity is required on what this means, 
i.e. is it only where a specific individual is personally identifiable? 


Donor segmentation - We are concerned that donor segmentation using profiling and 
analysis has been cited as an example of automated processing, when the legal definition 
suggests that Processing is “automated” where it is carried out without human 
intervention and where it produces legal effects or significantly affects you. Profiling and 
analysis can be carried out with significant human intervention and we would welcome 
examples to support the lawful basis on which these activities can be undertaken. The 
GDPR also distinguishes between solely automated processing and automated decision 


‘Intrusive’ profiling (p58) - we would welcome more clarity on what is considered to 
be ‘intrusive’ and examples of where you can apply legitimate interest for profiling 
deemed non-intrusive for direct marketing purposes, e.g. postcode sector level. 


Direct marketing by post - the code implies that organisations need to have a pre- 
existing relationship with an individual before they can send them direct mail. Direct mail 
can be sent under legitimate interest regardless of whether there is an existing 
relationship or not. 


Refer a friend - we would welcome more guidance on refer a friend campaigns in 
relation to peer to peer fundraising, particularly in respect of high net worth individuals 


Foundational data activities - greater clarity is required on processing data for direct 
marketing purposes such as data hygiene and administering or processing payments. 


Q4 Does the draft code address the areas of data protection and e-privacy that are 
having an impact on your organisation’s direct marketing practices? 


X Yes 
O No 


If no please outline what additional areas you would like to see covered 


Q5 Is it easy to find information in the draft code? 


x! Yes 
No 


If no, please provide your suggestions on how the structure could be improved: 


The code is extensive and lengthy, but the structure is easy to follow so it is relatively 
easy to access the information needed. 


Q6 Do you have any examples of direct marketing in practice, good or bad, that you 
think it would be useful to include in the code 


Yes 
xX No 


If yes, please provide your direct marketing examples 


Q7 Do you have any other suggestions for the direct marketing code? 


The guidance is vague around ‘Service Messages’ (p.19) and the suggestion of ‘using a 
neutral tone, without any encouragement or promotion’ is unclear. It would be helpful to 
include a specific focus on Gift Aid which is a particularly grey area for charities. The 
advice given to the Charity Tax Group, is that ‘legitimate interest’ is the legal basis for 
processing Gift Aid, including any administrative follow up. Some example scenarios 
where greater clarity would be appreciated are - if a person has asked you not to send 
them direct mail, can you still write to them to ask if they are eligible for Gift Aid? If a 
charity is contacting a donor to confirm details on a Direct Debit form they have 
completed can we about Gift Aid at the same time? In the case of online fundraising, if 
someone hasn't opted in to receive e-mails, could you use the triggered receipt e-mail to 
remind them about Gift Aid? 


The example given on P27 regarding the supermarket is causing concern as it is not clear 
where the liability lies. Also the ‘where possible’ suggestion of it being good practice to 
screen against the charity’s suppression list would mean sharing donor details with the 
supermarket which would seem to be in breach of current data protection regulation. 


About you 


Q8 Are you answering as: 


E 


El 
Xx] 
O 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

On behalf of an organisation 

Other 


Please specify the name of your organisation: 
British Red Cross 


If other please specify: 


PT 


Q9 How did you find out about this survey? 


a ey gð 


Xx] 


Dea pa gS PF Pf 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 


If other please specify: 


Se 


Thank you for taking the time to complete the survey 


